Description
In the Linux kernel, the following vulnerability has been resolved:

ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()

In vti6_tnl_lookup(), when an exact match for a tunnel fails,
the code falls back to searching for wildcard tunnels:

- Tunnels matching the packet's local address, with any remote address
wildcard remote).

- Tunnels matching the packet's remote address, with any local address
(wildcard local).

However, vti6 stores all these different types of tunnels in the same
hash table (ip6n->tnls_r_l) prone to hash collisions.

The bug is that the fallback search loops in vti6_tnl_lookup() were
missing checks to ensure that the candidate tunnel actually has
a wildcard address.
Published: 2026-06-25
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ip6_vti module in the Linux kernel contains a flaw in vti6_tnl_lookup(): when an exact tunnel match fails, the routine falls back to searching wildcard tunnels but does not confirm that the candidate tunnel actually has a wildcard address. This oversight can allow hash collisions to cause packets to be associated with an unintended tunnel. The consequence is that traffic may be routed through a wrong tunnel or dropped entirely, resulting in misrouting or a local denial of service.

Affected Systems

Linux kernel builds that incorporate the unpatched ip6_vti module are affected. All Linux distributions running such kernel versions without the recent fix are susceptible.

Risk and Exploitability

The CVSS score of 9.8 indicates high severity, while an EPSS score of less than 1% suggests a low likelihood of exploitation. The flaw is not included in the CISA KEV catalog. Based on the description, it is inferred that an attacker could craft IPv6 packets designed to trigger the faulty lookup, thereby potentially causing misrouting or a local denial of service. The vulnerability does not require elevated privileges; it can be triggered by sending targeted IPv6 traffic to the affected system.

Generated by OpenCVE AI on June 28, 2026 at 14:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains the vti6_tnl_lookup() fix for the ip6_vti module.
  • Reboot the system or reload networking services so that the updated kernel module is loaded.
  • If an upgrade cannot be performed immediately, disable unused VTI tunnels or restrict traffic that could trigger the lookup to reduce risk.

Generated by OpenCVE AI on June 28, 2026 at 14:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 26 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1289
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Thu, 25 Jun 2026 11:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup() In vti6_tnl_lookup(), when an exact match for a tunnel fails, the code falls back to searching for wildcard tunnels: - Tunnels matching the packet's local address, with any remote address wildcard remote). - Tunnels matching the packet's remote address, with any local address (wildcard local). However, vti6 stores all these different types of tunnels in the same hash table (ip6n->tnls_r_l) prone to hash collisions. The bug is that the fallback search loops in vti6_tnl_lookup() were missing checks to ensure that the candidate tunnel actually has a wildcard address.
Title ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:40:33.070Z

Reserved: 2026-06-09T07:44:35.392Z

Link: CVE-2026-53221

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53221 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:15:08Z

Weaknesses
  • CWE-1289

    Improper Validation of Unsafe Equivalence in Input